Regulation and Power Grid Resilience
Reforming CIP regulations to build cyber-resilience
The electric power sector is perhaps the most critical of all critical infrastructure sectors. Without electricity, clean water cannot be pumped, hospitals do not operate, financial institutions shut down, and transportation systems freeze. Unfortunately, the reliability of the power grid is threatened by a variety of hazards, including those related to cyber incidents, both intentional attacks and accidental failures. In the United States, Critical Infrastructure Protection (CIP) standards are designed to ensure that the power grid is resilient to such cyber incidents, but their effectiveness is a matter of considerable dispute. This study, conducted by Stanford’s Center for International Security and Cooperation (CISAC) and funded by the Department of Homeland Security, examines the impacts of regulatory standards and practices on the resilience of the power grid, and aims to develop recommendations for improvement.
There is currently no consensus over the effectiveness of CIP standards. Some describe the standards favorably, arguing that they have increased risk awareness and risk reduction resources. Others argue that the standards are expensive and time-consuming ‘check box’ exercises that direct attention and resources away from achieving real security. Researching the effect that the CIP standards have had on utility companies—both positive and negative—can provide the evidence necessary for reforms in the design and implementation of standards as well as help both regulators and utility companies better manage risks.
The project seeks input from all stakeholders involved in regulation — including technical experts, compliance officers, and regulators themselves — who work both inside and outside the United States. Participation is completely voluntary, and is an opportunity to provide input as to the effectiveness of standards and how they could be improved. The identities of participants and their organizations are confidential and will not be disclosed to anyone other than the three project researchers. Interview and survey questions will be kept at a very general level to avoid gathering any sensitive information. Results will be available publicly, but will be presented carefully to avoid compromising security or the anonymity of participants or their organizations.
Aaron Clark-Ginsberg is a U.S. Department of Homeland Security Cybersecurity Postdoctoral Scholar at CISAC. His research interests center on the theory and practice of disaster risk governance, particularly resilience and disaster risk reduction approaches.
Rebecca Slayton is Assistant Professor at Cornell University with a joint appointment in the Science & Technology Studies Department and the Judith Reppy Institute for Peace and Conflict Studies. Her research examines how different kinds of experts assess the risks of new technology, and how their arguments gain influence in distinctive organizational and political contexts. She is currently studying efforts to manage the diverse risks—economic, environmental, and security—associated with a “smarter” electrical grid.
Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Research Fellow at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy.
For any queries please contact Aaron Clark-Ginsberg at email@example.com.